Google, UK ISPs and Gov Battle Over Encrypted DNS and Censorship

The UK Government, broadband ISPs and the National Cyber Security Centre (NCSC) are set to meet on the 8th May 2019 in order to discuss Google’s forthcoming implementation of encrypted DNS (DoH – DNS over HTTPS), which politicians fear could break their internet censorship plans.

The existing Domain Name System (DNS), which works to convert Internet Protocol (IP) addresses into a human readable form (e.g. 123.56.32.1 to examplefakeblah.co.uk) and back again, is currently unencrypted and usually managed automatically by your ISP. This gives providers a lot of control over related traffic and enables various support features (Parental Controls, network performance testing etc.).

By comparison DNS over HTTPS (DoH) sends DNS requests via the encrypted HTTPS protocol and some major website browsers, such as Chrome (Google) and Firefox (Mozilla), are planning to introduce their own DoH solution. The result could be that ISPs lose a lot of their control over DNS, which would break some of their services including DNS based website blocking (e.g. the new porn site blocks will use DNS based censorship).

At this point we should remind readers that ISPreview.co.uk covered this topic in a lot more detail earlier this month (here), which is worth a read if you want to understand why the big ISPs have concerns about DoH; despite it effectively being a security improvement for consumers.

According to The Sunday Times, the Government are particularly concerned about the impact that all of this could have on their wider plans for internet censorship (i.e. not just breaking their porn block but also disrupting future ambitions under the Online Harms White Paper).

One unnamed government official is reported to have said that their ability to investigate paedophiles and terror cells would be hampered. Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage (note: they can already do this without DoH), which they say might be held by Google under Californian law.

At this point we rather suspect that a collective “meh..“, possibly followed by some distinct shoulder shrugging, will be emanating from anybody with moderate I.T. experience. This is because DNS based blocking has always been easy to circumvent and consumers have always had the ability to adopt a third-party DNS provider (OpenDNS, Google Public DNS etc.).

One key difference here, other than encryption, is that Chrome and Firefox could make their own DoH solutions the default (so far neither have done so – it’s still optional, for now). Similarly if third-parties want to adopt DoH then there’s precious little that ISPs can do about that, save for perhaps making more extensive use of expensive Deep Packet Inspection (DPI) technology, but even this has its limits and problems.

Meanwhile the question that consumers may end up having to ask themselves is whether or not they’d rather let ISPs have access to their DNS data or Google/Mozilla. It’s also worth considering that many other third-parties may launch their own default DoH solutions in the future, which may further complicate matters. Some of the DNS based support features offered by ISPs are also quite useful, thus breaking them with DoH isn’t always desirable (likely to give ISP support teams a complex headache).

Suffice to say, it would be interesting to be a fly on the wall at next month’s meeting.